
WO2024244701A1 - Access control method implemented by means of hardware firewall, and hardware firewall in chip - Google Patents


Info

Publication number
WO2024244701A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
permission
firewall
area
address
Legal status
Pending
Application number
PCT/CN2024/086659
Other languages
French (fr)
Chinese (zh)
Inventor
房晓剑
Current Assignee
Sanechips Technology Co Ltd
Original Assignee
Sanechips Technology Co Ltd
Application filed by Sanechips Technology Co Ltd


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry

Definitions

  • the present disclosure relates to the field of hardware firewalls, and in particular, to an access control method for a hardware firewall and an in-chip hardware firewall.
  • Firewalls usually filter transmission information based on security policies.
  • the use of software-level firewalls alone has the disadvantages of low information filtering efficiency, poor stability, incomplete protection capabilities, and heavy load on the central processing unit (CPU).
  • in most chips the hardware firewall function is relatively simple: it mainly restricts CPU accesses to memory and applies little access control to other access terminals such as graphics processing units (GPUs), video processing units (VPUs) and direct memory access (DMA) engines.
  • the memory isolation such a firewall provides is also coarse: memory is split only into a secure area and a non-secure area, which has limited effect on permission control and on the functional safety of interactions between areas with several security levels, so the security level of each area cannot be guaranteed.
  • the embodiments of the present disclosure provide an access control method implemented by a hardware firewall and an in-chip hardware firewall, so as to at least solve the problem in the related art that the hardware firewall has simple functions and limited authority control and functional security effects.
  • an access control method implemented by a hardware firewall, the method comprising: receiving an access request initiated by an access end to an accessed end through a firewall filtering layer corresponding to the access end, wherein the access request carries an authority identifier and an access address; determining a target access area from a plurality of access areas of the accessed end corresponding to the firewall filtering layer according to the access address; determining access rights of the access request according to the authority identifier and the target access area, wherein each access area is pre-configured with a mapping relationship between an authority identifier for allowed access and a corresponding access right.
  • an in-chip hardware firewall comprising: a plurality of firewall filter layers, wherein each firewall filter layer corresponds to one or more access terminals, each firewall filter layer corresponds to a plurality of access areas, each access area is pre-configured with a mapping relationship between a permission identifier for allowing access and a corresponding access permission; the firewall filter layer is configured to receive an access request for accessing an accessed terminal from the corresponding access terminal, and determine a target access area from the plurality of access areas of the corresponding accessed terminal according to the permission identifier and the access address carried in the access request, and determine the access permission of the access request according to the permission identifier and the target access area.
  • a computer-readable storage medium in which a computer program is stored, wherein the computer program executes the steps of any of the above method embodiments when executed by a processor.
  • an electronic device including a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to run the computer program to execute the steps in any one of the above method embodiments.
  • FIG. 1 is a hardware structure block diagram of an access control method of a hardware firewall according to an embodiment of the present disclosure;
  • FIG. 2 is a flow chart of an access control method of a hardware firewall according to an embodiment of the present disclosure;
  • FIG. 3 is a schematic diagram of the structure of an automotive smart chip system according to an embodiment of the present disclosure;
  • FIG. 4 is a schematic diagram of a process of implementing access control through a page table in the related art;
  • FIG. 5 is a schematic flow chart of access control when a page table is tampered with according to an embodiment of the present disclosure;
  • FIG. 6 is a schematic diagram of a process for implementing access control through a hardware firewall according to an embodiment of the present disclosure (I);
  • FIG. 7 is a schematic diagram of a process for implementing access control through a hardware firewall according to an embodiment of the present disclosure (II);
  • FIG. 8 is a schematic diagram of the structure of an on-chip hardware firewall according to an embodiment of the present disclosure;
  • FIG. 9 is a schematic diagram of configuring permission identifiers for multiple access terminals according to an embodiment of the present disclosure;
  • FIG. 10 is a detailed flow chart of firewall access control according to an embodiment of the present disclosure.
  • FIG. 1 is a hardware structure block diagram of the access control method of the hardware firewall of the embodiment of the present disclosure. The hardware board (FIG. 1 uses a mobile terminal as the example) may include one or more processors 12 (only one is shown in FIG. 1; the processor 12 may be, but is not limited to, a processing device such as a microcontroller unit (MCU) or a programmable logic device) and a memory 14 for storing data, and may further include a transmission device 16 and an input/output device 18 for communication.
  • FIG. 1 is only for illustration and does not limit the structure of the mobile terminal, which may include more or fewer components than those shown in FIG. 1, or have a different configuration.
  • the memory 14 may be used to store computer programs, for example software programs and modules of application software, such as the computer program corresponding to the access control method of the hardware firewall in the embodiment of the present disclosure. The processor 12 executes the computer program stored in the memory 14 to perform various functional applications and the access control method of the hardware firewall, that is, to implement the above method.
  • the memory 14 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. The memory 14 may further include memory arranged remotely from the processor 12 and connected to the mobile terminal via a network; examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
  • the transmission device 16 is used to receive or send data via a network, for example a wireless network provided by a communication provider. In one example the transmission device 16 includes a network interface controller (NIC), which can connect to other network devices through a base station so as to communicate with the Internet; in another example it is a radio frequency (RF) module used to communicate with the Internet wirelessly.
  • FIG. 2 is a flow chart of the access control method of the hardware firewall according to an embodiment of the present disclosure. As shown in FIG. 2, the process includes the following steps:
  • Step S202: receiving, through the firewall filtering layer corresponding to the access end, an access request initiated by the access end to the accessed end, wherein the access request carries a permission identifier and an access address;
  • Step S204: determining a target access area from the multiple access areas of the accessed end corresponding to the firewall filtering layer according to the access address;
  • Step S206: determining the access rights of the access request according to the permission identifier and the target access area, wherein each access area is pre-configured with a mapping relationship between the permission identifiers allowed to access it and the corresponding access rights.
  • through steps S202 to S206, the problem of single-function hardware firewalls with limited authority control and functional safety in the related art can be solved. Because the permission identifier and the access areas control the access end and the accessed end at the same time, the information security and functional safety of the chip are effectively improved, and the theft of sensitive information, the seizure of authority and intrusion into key security areas by external attacks are reduced.
  • before the method is executed, the filtering function of the firewall needs to be configured, which may specifically include: configuring, for each access area of the accessed end, a mapping relationship between the permission identifiers allowed to access it and the corresponding access permission.
  • in one example the accessed end is DDR (Double Data Rate SDRAM) memory, divided into two parts: Region0, which has a high security level, and Region1, which has a low security level and is used for data sharing.
  • by assigning memory access permissions and memory attributes to each area, user applications can be prevented from damaging data used by the operating system; untrusted applications can be prevented from accessing protected memory areas in order to infringe intellectual property rights; memory areas can be defined as read-only to protect important data; and abnormal accesses are blocked, providing storage protection, peripheral protection and access control protection for privileged code.
  • in one example each firewall can support 4 filter layers and 9 access regions, but the present disclosure is not limited thereto.
  • step S204 may include the following steps:
  • Step S2042 matching the access address with the address range of each access area in the multiple access areas respectively;
  • Step S2044 determine an access area whose address range includes the access address as a target access area.
  • step S204 may further include:
  • Step S2046 when the address ranges of the multiple access areas do not include the access address, a preset basic access area is determined as the target access area, wherein the basic access area is a part of the access area of the accessed end, and the basic access area is pre-configured with a mapping relationship between the permission identifier allowed to access and the corresponding access permission.
  • step S206 may include: querying the pre-configured mapping relationship according to the target access area, and determining the access right corresponding to the permission identifier as the access right of the access request.
  • in the mapping relationship, either only the permission identifiers allowed to access the area are configured, or both the IDs allowed to access and the IDs denied access are configured.
  • the access rights corresponding to IDs allowed to access are read, write, or read and write; the access rights corresponding to IDs denied access are neither read nor write.
  • the access request also carries the security attributes of the access terminal or service module.
  • step S206 may include the following steps:
  • Step S2062 when the security attribute is secure, determining that the access permission of the access request is a predetermined permission corresponding to the target access area;
  • Step S2064 when the security attribute is non-secure, query the pre-configured mapping relationship according to the target access area, and determine the access permission corresponding to the permission identifier as the access permission of the access request.
  • in this way each access area can apply unified access control to access terminals (masters) with a higher security level: their access permission is the predetermined permission corresponding to the target access area, that is, the highest access permission of that area. The predetermined permission can be set to not readable, read-only, readable and writable, and so on, which determines the access permission more quickly and improves the response speed of access requests. For non-secure masters, fine-grained control is performed through the permission identifier to ensure the security control effect.
  • both group control and granular control are therefore supported, which can effectively reduce the complexity of authority control, improve the control accuracy of address ranges and reduce resource usage.
  • the method further comprises: when the determined access rights cover the requested operation, the access request is permitted; otherwise the access request is rejected.
  • the access terminal includes one or more business modules; the access terminals and/or business modules with the same access rights have the same permission identifiers; the access terminals and/or business modules with different access rights have different permission identifiers.
  • a preset number of permission identifiers may be set. When the number of access terminals is less than the preset number, a different permission identifier may be assigned to each access terminal. However, when the number of access terminals is large, access terminals with the same security level or access rights may be grouped together, and a permission identifier may be assigned to each group. If an access terminal contains business modules with different security levels, a permission identifier needs to be configured for each business module.
  • the chip system is divided into multiple preset functional safety level domains, wherein each functional safety level domain includes multiple access terminals and multiple accessed terminals; each functional safety level domain has a hardware firewall, wherein the hardware firewall is used to perform access control on the accessed terminals within the corresponding functional safety level domain; the permission identifier of the access terminal and/or business module is configured by the business module with the highest security level in the functional safety level domain.
  • the preset functional safety level specification can be the Automotive Safety Integrity Level (ASIL).
  • a hardware firewall is configured for each functional safety level domain, and in each hardware firewall the mapping relationship between the access areas (regions), the permission identifiers (IDs) and the corresponding access rights is configured, so as to achieve hardware isolation and control of domains with different functional safety levels, thereby preventing high functional safety areas from being affected by low functional safety areas, and preventing high functional safety services from being affected by low functional safety services.
  • the method before step S204, further includes: converting the virtual address in the access request into a physical address through a page table in a memory management unit (Memory Management Unit, MMU) or a system memory management unit (System Memory Management Unit, SMMU), wherein the access address is a physical address.
  • the MMU/SMMU can convert virtual addresses and physical addresses and control access through the page table. It maps virtual addresses of user state, kernel state, and peripherals respectively, converts them to corresponding physical addresses, and sets permission attributes in the page table to perform access control and regional isolation.
  • the access end (master) may include at least one of the following: a central processing unit (CPU), a graphics processing unit (GPU), a video processor (VPU), a storage device, a neural network processor (NPU), a hardware security module (Hardware Security Module, HSM), a security encryption and decryption engine, a direct memory access (DMA), and an external device.
  • the access end may also include image signal processing (Image Signal Process, referred to as ISP), digital signal processing (Digital Signal Processing, referred to as DSP), and data processing unit (Data Process Unit, referred to as DPU)
  • the accessed end may include at least one of the following: a storage device and a peripheral register.
  • the hardware firewall may support a bypass debugging mode, and debug the system functions by bypassing the firewall, thereby reducing the complexity of troubleshooting;
  • the hardware firewall can support an error reporting mechanism, and can report the error location and access information (address, attributes, etc.) in a timely and accurate manner to improve diagnostic efficiency. Furthermore, the firewall can also record and report rejected access requests so that users can promptly discover and handle potential risk issues.
  • the functions of access control and permission setting can be achieved, and the problems in related technologies such as simple hardware firewall functions and limited permission control and functional safety effects can be solved.
  • the permissions of different functional security level domains and secure/non-secure services can be accurately controlled, thereby improving the information security and functional safety of the entire chip system.
  • the disclosed embodiments can be applied to multifunctional high-performance integrated chips, especially in the field of chip security protection, including but not limited to cockpit chips, autonomous driving chips, mobile phone chips, computer chips, artificial intelligence chips, etc.
  • the current automotive smart chip systems mainly include digital instrument systems, assisted driving systems, and infotainment systems, etc., and different systems have different functions and security levels.
  • FIG3 is a schematic diagram of the structure of an automotive smart chip system according to an embodiment of the present disclosure. As shown in FIG3 , the automotive smart chip system can be divided into the following functional safety level domains according to functions and safety attributes:
  • the high-performance computing domain 32, the automotive domain (ASIL-B) 34, the automotive domain (ASIL-D) 36 and the safety island (ASIL-D) 38.
  • the high-performance computing domain 32 only involves information security
  • the automotive domain (ASIL-B) automotive domain (ASIL-D) and safety island (ASIL-D) involve functional safety
  • the safety island (ASIL-D) has the highest safety level.
  • the chip system contains high-computing-power CPUs, GPUs, storage devices, NPU devices and multi-channel display interfaces, and supports a variety of automotive peripherals, so that it can provide 3D graphics display, deep learning, computer vision, audio and video encoding and decoding, and other complex functions.
  • the hardware of the high-performance computing domain 32 is a high-performance A-core processor and various peripheral modules. The A-core processor has a lower security level but relatively strong performance and computing power. It runs a high-level operating system (HLOS) such as Linux or Android and is mainly responsible for compute-heavy functions such as the entertainment system, instrument display and environmental perception.
  • the automotive domain (ASIL-B) 34 is composed of four real-time R cores running the FreeRTOS operating system, and is mainly responsible for sensor signal acquisition, body comfort systems, regulatory control, air conditioning, windows, suspension control and other functions.
  • the automotive domain (ASIL-D) 36 uses two R cores in dual-core lockstep to achieve ASIL-D functional safety, and runs the AUTOSAR OS automotive control system on them. It is mainly responsible for functions with particularly high safety requirements, such as vehicle control, power control, energy management and chassis functions.
  • the safety island (ASIL-D) 38 also uses two R cores in dual-core lockstep to achieve ASIL-D functions. All of its system components are independent of the other domains and are not affected by their functions. It mainly performs safety monitoring and key data storage.
  • Applying the access control method in any of the above application embodiments to the automotive smart chip system can ensure that each domain does not affect each other's functional safety level during the interaction process.
  • through the permission identifier (ID) and the access areas, the high-performance computing domain can be controlled so that it does not affect the functional safety areas, and a low functional safety domain accessing a high functional safety domain can be allowed to read but not to write.
  • FIFO first In First Out
  • access should be prohibited.
  • the services within the same functional safety domain can be distinguished, and isolation can be achieved between low-functional safety services and high-functional safety services.
  • FIG4 is a flow chart of implementing access control through page tables in the related art.
  • MMU/SMMU converts virtual addresses and physical addresses and performs access control through page tables. It maps virtual addresses such as user state, kernel state, and peripherals, converts them to corresponding physical addresses, and sets permission attributes in the page table to perform access control and regional isolation.
  • the memory and page table are managed by the operating system (OS) running on the A core, and the access scope and permission control of the access source are completed by the OS operating the page table, including the page table of MMU and SMMU.
  • the page table is stored in DDR, and the cache storing the page table in MMU is the translation look-aside buffer (TLB).
  • the page table control permissions include data read, write, and executable. The first two correspond to the data path, and the latter corresponds to the instruction path.
  • FIG. 5 is a flow chart of access control when the page table is tampered with, according to an embodiment of the present disclosure. The left side is an example of accessing the memory directly after querying the page table; the right side is an example of accessing the memory through the firewall after querying the page table.
  • when the page table is intact and has not been tampered with, a non-secure access end (master) accessing the memory first queries the page table through the MMU. If the access address is in the non-secure area, the MMU converts the virtual address into a physical address and the data in the non-secure area of the memory is accessed. If the access address is in the secure area, the MMU denies the non-secure access end according to the permission attributes in the page table, which completes the access isolation between the secure area and the non-secure area.
  • when the page table has been tampered with, the non-secure access end can reach the secure data in the DDR through the tampered mapping, which brings security risks.
  • adding the firewall strengthens data protection from the accessed end: the access is checked again against the physical address, which avoids the security risk that arises during the data transfer process when the page table has been illegally tampered with.
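The contrast of FIG. 4 and FIG. 5 (page-table check only, versus page-table check followed by a firewall check on the physical address), as an added software model that is not code from the patent or from Sanechips. The page size, virtual and physical addresses, permission IDs and the page-table contents are constructed assumptions; the MMU is reduced to a table of read/write bits, and the hardware firewall is reduced to one secure physical range with a single allowed ID, which is enough to show why a page table owned by the non-secure OS is not by itself a security boundary.

```python
# Added example: model of FIG. 4 / FIG. 5. Not code from the patent; all
# addresses, permission IDs and page-table contents are constructed assumptions.
PAGE = 0x1000
PAGE_MASK = PAGE - 1

# Constructed physical layout of the DDR: one secure page and one non-secure page.
SECURE_PA_RANGE = (0x8000_0000, 0x8000_0000 + PAGE)   # [lo, hi)
NONSECURE_PA = 0x9000_0000

# Constructed permission IDs (one per master group).
ID_SECURE_OS = 0x1      # the only ID the firewall lets into the secure range
ID_NONSECURE_OS = 0x2


def fresh_page_table():
    """Page table owned by the OS on the A core: VA page -> (PA page, rights)."""
    return {
        0x0001_0000: (NONSECURE_PA, "rw"),
        0x0002_0000: (SECURE_PA_RANGE[0], ""),   # secure page mapped with no rights
    }


def mmu_translate(page_table, va, op):
    """FIG. 4: translate VA to PA and enforce the page-table permission bits.

    Returns the physical address, or None for an unmapped page / permission fault.
    """
    entry = page_table.get(va & ~PAGE_MASK)
    if entry is None:
        return None
    pa_page, rights = entry
    if op not in rights:
        return None
    return pa_page | (va & PAGE_MASK)


def firewall_allows(pa, perm_id):
    """Accessed-end check on the *physical* address, independent of the page table."""
    lo, hi = SECURE_PA_RANGE
    if lo <= pa < hi:
        return perm_id == ID_SECURE_OS
    return True


def access(page_table, va, op, perm_id, use_firewall):
    """One access: left side of FIG. 5 (use_firewall=False) or right side (True)."""
    pa = mmu_translate(page_table, va, op)
    if pa is None:
        return "mmu-fault"
    if use_firewall and not firewall_allows(pa, perm_id):
        return "firewall-deny"
    return "ok"


def scenario():
    """Outcome of a non-secure read of the secure page: intact table, tampered
    table without firewall, tampered table with firewall."""
    pt = fresh_page_table()
    secure_va = 0x0002_0000
    intact = access(pt, secure_va, "r", ID_NONSECURE_OS, use_firewall=False)
    # Tampering: the attacker rewrites the PTE so the secure page becomes readable.
    pt[secure_va] = (SECURE_PA_RANGE[0], "rw")
    tampered_no_firewall = access(pt, secure_va, "r", ID_NONSECURE_OS, use_firewall=False)
    tampered_with_firewall = access(pt, secure_va, "r", ID_NONSECURE_OS, use_firewall=True)
    return intact, tampered_no_firewall, tampered_with_firewall


if __name__ == "__main__":
    print(scenario())   # ('mmu-fault', 'ok', 'firewall-deny')
```

The value to look at is the middle one returned by `scenario()`: once the OS-owned page table is rewritten, the MMU check passes and the secure page is readable from the non-secure world. Only the check on the physical address at the accessed end, which the tampered page table cannot influence, still denies the access.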
  • FIG 6 is a schematic diagram of a process of implementing access control through a hardware firewall according to an embodiment of the present disclosure (I), which is applied to a high-performance computing domain.
  • the firewall can perform permission control on the process of different access terminals accessing the computing domain DDR.
  • the access end in the high-performance computing domain includes: A core processor, secure OS, non-secure OS, hardware security module HSM, encryption and decryption engine, direct memory access DMA; the accessed end includes DDR and peripherals.
  • the memory (DDR) is divided by the firewall into a secure access area (region) and a non-secure access area, thereby achieving physical isolation of secure data and non-secure data. The DDR can also be divided into multiple access regions with different security levels, numbered "region+number", where region0 can be the preset basic access region; the present disclosure does not limit the number of access regions.
  • the A core processor has two states: secure state and non-secure state, namely secure OS and non-secure OS.
  • secure state can access the entire DDR data
  • non-secure state can only access non-secure data and is prohibited from reading and writing secure data.
  • security modules such as the hardware security module HSM and the encryption and decryption engine are mainly responsible for high-security information and encryption and decryption services. They have a high security level and can access the entire DDR data normally.
  • Non-security modules such as DMA are mainly responsible for moving data and can only operate on non-security data. Reading and writing of security data is prohibited.
  • the information security within the high-performance computing domain can be protected by a hardware firewall, ensuring that secure data cannot be obtained/destroyed by non-secure access terminals.
  • FIG 7 is a schematic diagram of the process of implementing access control through a hardware firewall according to an embodiment of the present disclosure (II), which is applied to the high-performance computing domain and the automotive domain (ASIL-B).
  • FIG. 7 shows the firewall's read/write permission control when the high-performance computing domain (A core) and the automotive domain (R core) access the DDR of the automotive domain (ASIL-B) at the same time.
  • a hardware firewall is provided in each of the high-performance computing domain and the automotive domain (ASIL-B) for performing access control on the accessed end in the current domain.
  • the DDR in the automotive domain is divided into two parts, Region 0 has a high security level, and Region 1 has a low security level, which is used for data sharing.
  • the present disclosure is not limited to this, and the number of access areas and the corresponding security level can be adjusted according to actual needs.
  • when the A core and the DMA in the high-performance computing domain access the memory of the automotive domain (ASIL-B), the firewall controls the access area and permissions according to the access source. Since the security level of the A core is lower than that of the automotive domain, the firewall can be configured as follows: the A core can only read Region0 and cannot write to it, but can freely read and write Region1, which facilitates data exchange with the R core.
  • when the R core accesses the automotive-domain memory, it can freely read and write both Region0 and Region1, because its safety level is ASIL-B and meets the requirement.
  • memory access by an R core in the automotive domain (ASIL-B) to a higher level safety domain (such as the automotive domain ASIL-D) is restricted by a firewall within the automotive domain (ASIL-D).
  • the firewall is controlled according to the permission identification (ID) of the access source, which can be achieved by setting different permission tags for the A core and the R core.
  • hardware isolation of domains with different functional safety levels can be achieved through a hardware firewall, thereby ensuring functional safety, that is, areas with high functional safety cannot be affected by areas with low functional safety, and areas with functional safety cannot be affected by computing domains.
  • FIG8 is a schematic diagram of the structure of an on-chip hardware firewall according to an embodiment of the present disclosure.
  • The hardware firewall in the chip includes multiple firewall filter layers (Filter0 to Filter3).
  • Each firewall filter layer corresponds to a different type of access terminal.
  • The firewall filter layer corresponding to the CPU is Filter0, the layer corresponding to the GPU is Filter1, and the layer corresponding to the DMA/DPC is Filter2; Filter3 is not shown.
  • The present disclosure is not limited to this; the number of firewalls and the corresponding access terminal types can be adjusted according to actual needs.
  • Each firewall filter layer corresponds to one or more access terminals and to multiple access areas, and each access area is pre-configured with a mapping relationship between the permission identifiers allowed to access it and the corresponding access rights.
  • The firewall filter layer is configured to receive, from the corresponding access end, an access request for accessing the accessed end; to determine a target access area from the multiple access areas of the accessed end based on the permission identifier and access address carried in the access request; and to determine the access rights of the access request based on the permission identifier and the target access area.
  • Each access area corresponds to an address range of the accessed end (such as DDR memory), and the address ranges of access areas in different firewall filter layers may overlap.
  • For example, Region 1 and Region 3 in FIG8 both correspond to the DDR address range A1 to A2.
  • The firewall can be set to support 4 filter layers (Filters) and 9 access areas (Regions).
  • Through its Filter, an external access terminal (master) such as the CPU, GPU, DPC or VPU is checked, based on the access address and ID, as to whether it may read or write the corresponding access area.
  • A common basic access area (such as Region 0) can be set for multiple firewall filter layers; addresses that are not in the range of Region 1 to Region 8 belong to Region 0. Further, the basic access area can be set to the lowest authority, retaining only the read and write authority of the data sharing area, but the present disclosure is not limited to this, and the authority content can be adjusted according to actual needs.
  • A hardware firewall is located between an accessed end and the network on chip (Network On Chip, NoC for short); the hardware firewall and the accessed end are in the same functional safety level domain, and the functional safety level domains are divided according to a preset security level specification.
  • For example, a firewall filter layer can be set at the interface of the DDR memory.
  • The on-chip network sends the access request to the firewall filter layer corresponding to the access end according to the device type of the access end, and the access rights are controlled and filtered by that firewall filter layer.
  • The firewall filter layer further includes an access register configured to store, for each of the multiple access areas, the mapping relationships between the permission identifiers and the access permissions allowed in that area.
  • If a region is to restrict access to a certain ID and deny access to all other IDs, the region must span all valid filters; otherwise a request arriving through a filter in which the region is not valid is judged by Region 0 instead.
  • Each region can control all 16 IDs.
  • When the number of access terminals is greater than a preset number, such as 16, multiple access terminals with the same authority can share one ID. Access terminals with the same ID can be divided among different filter layers according to device type.
  • Accesses can be divided into secure accesses and non-secure accesses; the security attribute is determined by the access end or business module that initiates the access request.
  • For secure accesses, the firewall controls the permission as read/write directly; for non-secure accesses, it is further necessary to control the read/write permission based on the ID.
  • The ID of each access terminal is software configurable, that is, it can be statically configured when the system starts.
  • FIG9 is a schematic diagram of configuring the permission identifiers of multiple access terminals according to an embodiment of the present disclosure.
  • The permission identifier (ID) of each access terminal in a functional safety level domain is configured by the business module with the highest security level in that domain, namely the IDs_conf module.
  • The entire system is divided into two parts: a high-performance computing domain (on the left) and an automotive domain (on the right).
  • A set of registers is provided in each functional safety level domain to configure the IDs of all access terminals/business modules in that domain.
  • In the automotive domain (which includes a hardware security module, HSM), the IDs can be configured by an R-core processor; this configuration is relatively flexible and versatile.
  • The ID configuration of the high-performance computing domain (left) mainly concerns information security, for modules such as the GPU, VPU and DMA, and its IDs can generally be fixed before leaving the factory.
  • The automotive domain (right) has high safety requirements and mainly concerns functional safety.
  • The services of the access ends include secure and non-secure services, and the services of different manufacturers differ. Therefore, the IDs of the automotive domain need not be fixed and can be statically configured when the system starts.
  • When the number of access terminals/business modules requiring ID configuration is small, each module can be configured with a different ID.
  • Otherwise, a group control method can be used to configure the same ID for business modules with the same access rights, thereby reducing the complexity of access control and permission determination.
  • FIG10 is a detailed flow diagram of firewall access control according to an embodiment of the present disclosure. As shown in FIG10, the flow includes the following steps:
  • Step S1001: for each access request coming in through a Filter, the address is compared starting from Region 1. If the address lies in the Region and the Region is valid in the current Filter, proceed to the next step.
  • Step S1002: if Region M does not match (starting with M = 1), compare Region M+1, and so on in sequence. If none of the Regions match, Region 0 is used to control the permission for the Filter.
  • Step S1003: determine the security attribute of the access. If it is in the secure state, read the access register of the region to check whether the current access is allowed, where 1 means allowed and 0 means denied.
  • Step S1004: if it is a non-secure access, determine from the access register of the region whether the ID of the access source is configured in that region. If it is configured, further check the access rights of the ID: read, write, or read and write.
  • Steps S1001 and S1002 can also match only the Regions specifically configured in the Filter. If no Region is matched, the basic access area (Region 0) is used for permission control.
  • The access register in step S1004 is configured only for the IDs that are allowed to access the access area; when an ID is not configured in the access area, the access request is rejected.
  • An embodiment of the present disclosure further provides a computer-readable storage medium in which a computer program is stored; when the computer program is run by a processor, the steps of any of the above method embodiments are executed.
  • The computer-readable storage medium may include, but is not limited to, various media that can store a computer program, such as a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, a magnetic disk or a CD.
  • An embodiment of the present disclosure further provides an electronic device, including a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to run the computer program to execute the steps in any one of the above method embodiments.
  • The electronic device may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
  • The modules or steps of the present disclosure can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. They can be implemented by program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases, the steps shown or described can be executed in a different order from the one given here, or they can be made into individual integrated circuit modules, or multiple modules or steps among them can be made into a single integrated circuit module.
  • The present disclosure is not limited to any specific combination of hardware and software.

Abstract

Provided in the embodiments of the present disclosure are an access control method implemented by means of a hardware firewall, and a hardware firewall in a chip. The method comprises: by means of a firewall filtering layer corresponding to an access end, receiving an access request which is initiated by the access end to an accessed end, wherein the access request carries a permissions identifier and an access address; according to the access address, determining a target access area from among a plurality of access areas of the accessed end corresponding to the firewall filtering layer; and according to the permissions identifier and the target access area, determining access permissions of the access request, wherein each access area is pre-configured with a mapping relationship between permissions identifiers for allowing access and corresponding access permissions.

Description

An access control method implemented by a hardware firewall and an in-chip hardware firewall

CROSS-REFERENCE TO RELATED APPLICATIONS

This disclosure is based on Chinese patent application CN202310645888.3, filed on June 1, 2023 and entitled "An access control method implemented by a hardware firewall and a hardware firewall in a chip", claims priority to that application, and incorporates its entire disclosed content by reference.

Technical Field

The present disclosure relates to the field of hardware firewalls, and in particular to an access control method for a hardware firewall and an in-chip hardware firewall.

Background Art

As the integration and performance of smart chips increase, the security threats they face become more serious. While a high-performance chip is in use, an attacker may use software or hardware methods to implant malicious code into a module in a low-functional-safety area, and then, while the chip is running, launch an attack from the low-functional-safety area on a high-functional-safety area, tampering with relevant information and permissions and damaging chip functions. If the attack reaches the vehicle control area, it may cause serious personal injury and property loss.

A firewall usually filters transmitted information based on a security policy. Using a software-level firewall alone has the disadvantages of low filtering efficiency, poor stability, incomplete protection and a heavy load on the central processing unit (CPU). Integrating a hardware firewall function in the chip can effectively improve the filtering capability, reduce the CPU burden, and strengthen intrusion detection and protection. However, the hardware firewall functions in most chips are relatively simple: they mainly restrict the CPU's accesses to memory, provide little access control for other access ends (masters) such as the graphics processing unit (GPU), the video processing unit (VPU) and direct memory access (DMA), and have no effect on the permission control of the chip's peripherals other than memory. The firewall's isolation of memory information is also relatively coarse, dividing memory only into a secure area and a non-secure area, so it has limited effect on permission control and interaction between areas with multiple security levels, and the security level of each area cannot be guaranteed.

In summary, a solution is urgently needed for the problem in the related art that hardware firewalls have a single function and limited authority control and functional safety effect.

Summary of the Invention

The embodiments of the present disclosure provide an access control method implemented by a hardware firewall and an in-chip hardware firewall, so as to at least solve the problem in the related art that a hardware firewall has simple functions and limited authority control and functional safety effect.

According to an embodiment of the present disclosure, there is provided an access control method implemented by a hardware firewall, the method comprising: receiving, through a firewall filter layer corresponding to an access end, an access request initiated by the access end to an accessed end, wherein the access request carries a permission identifier and an access address; determining a target access area, according to the access address, from a plurality of access areas of the accessed end corresponding to the firewall filter layer; and determining the access rights of the access request according to the permission identifier and the target access area, wherein each access area is pre-configured with a mapping relationship between the permission identifiers allowed to access it and the corresponding access rights.

According to another embodiment of the present disclosure, there is provided an in-chip hardware firewall, comprising a plurality of firewall filter layers, wherein each firewall filter layer corresponds to one or more access ends, each firewall filter layer corresponds to a plurality of access areas, and each access area is pre-configured with a mapping relationship between the permission identifiers allowed to access it and the corresponding access rights; the firewall filter layer is configured to receive, from the corresponding access end, an access request for accessing an accessed end, to determine a target access area from the plurality of access areas of the corresponding accessed end according to the permission identifier and the access address carried in the access request, and to determine the access rights of the access request according to the permission identifier and the target access area.

According to yet another embodiment of the present disclosure, a computer-readable storage medium is provided, in which a computer program is stored, wherein the computer program, when run by a processor, executes the steps of any of the above method embodiments.

According to yet another embodiment of the present disclosure, an electronic device is provided, including a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to run the computer program to execute the steps of any of the above method embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a hardware structure block diagram of the access control method of a hardware firewall according to an embodiment of the present disclosure;

FIG2 is a flow chart of the access control method of a hardware firewall according to an embodiment of the present disclosure;

FIG3 is a schematic structural diagram of an automotive smart chip system according to an embodiment of the present disclosure;

FIG4 is a schematic flow diagram of implementing access control through a page table in the related art;

FIG5 is a schematic flow diagram of access control when the page table has been tampered with, according to an embodiment of the present disclosure;

FIG6 is a schematic flow diagram (I) of implementing access control through a hardware firewall according to an embodiment of the present disclosure;

FIG7 is a schematic flow diagram (II) of implementing access control through a hardware firewall according to an embodiment of the present disclosure;

FIG8 is a schematic structural diagram of an in-chip hardware firewall according to an embodiment of the present disclosure;

FIG9 is a schematic diagram of configuring the permission identifiers of multiple access ends according to an embodiment of the present disclosure;

FIG10 is a detailed schematic flow diagram of firewall access control according to an embodiment of the present disclosure.

DETAILED DESCRIPTION

Hereinafter, embodiments of the present disclosure will be described in detail with reference to the accompanying drawings and in combination with the embodiments.

It should be noted that the terms "first", "second", etc. in the specification, the claims and the above drawings of the present disclosure are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence.

The method embodiments provided in the embodiments of the present disclosure can be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, FIG1 is a hardware structure block diagram of the access control method of the hardware firewall according to an embodiment of the present disclosure. As shown in FIG1, the hardware board may include one or more processors 12 (only one is shown in FIG1; the processor 12 may include, but is not limited to, a processing device such as a microcontroller (MCU) or a programmable logic device) and a memory 14 for storing data; the above-mentioned mobile terminal may also include a transmission device 16 for communication functions and an input/output device 18. Those of ordinary skill in the art will understand that the structure shown in FIG1 is only illustrative and does not limit the structure of the above-mentioned mobile terminal. For example, the mobile terminal may include more or fewer components than shown in FIG1, or have a configuration different from that shown in FIG1.

The memory 14 may be used to store computer programs, for example the software programs and modules of application software, such as the computer program corresponding to the access control method of the hardware firewall in the embodiments of the present disclosure; the processor 12 runs the computer program stored in the memory 14 to perform various functional applications and the access control method of the hardware firewall, that is, to implement the above method. The memory 14 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 14 may further include memory located remotely from the processor 12, and such remote memory may be connected to the mobile terminal via a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

The transmission device 16 is used to receive or send data via a network. Specific examples of the above network may include a wireless network provided by a communication provider. In one example, the transmission device 16 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 16 may be a radio frequency (RF) module used to communicate with the Internet wirelessly.

In one embodiment of the present disclosure, an access control method of a hardware firewall is provided. FIG2 is a flow chart of the access control method of a hardware firewall according to an embodiment of the present disclosure. As shown in FIG2, the flow includes the following steps:

Step S202: receiving, through the firewall filter layer corresponding to the access end, an access request initiated by the access end to the accessed end, wherein the access request carries a permission identifier and an access address;

Step S204: determining a target access area, according to the access address, from a plurality of access areas of the accessed end corresponding to the firewall filter layer;

Step S206: determining the access rights of the access request according to the permission identifier and the target access area, wherein each access area is pre-configured with a mapping relationship between the permission identifiers allowed to access it and the corresponding access rights.

In the embodiments of the present disclosure, steps S202 to S206 solve the problem in the related art that a hardware firewall has a single function and limited authority control and functional safety effect. By controlling both the access end and the accessed end through permission identifiers and access areas, the information security and functional safety of the chip can be effectively improved, reducing the theft of sensitive information by external attacks and their control over, and intrusion into, key security areas.

In an exemplary embodiment, before step S202, the filtering function of the firewall needs to be configured, which may specifically include the following steps:

Setting, according to the device type of the access end, a firewall filter layer corresponding to each device type;

Configuring a plurality of access areas for each of the firewall filter layers, wherein the plurality of access areas have different address ranges;

Configuring, for each of the access areas, the mapping relationship between the permission identifiers allowed to access it and the corresponding access rights.

Further, taking Double Data Rate SDRAM (DDR SDRAM for short) memory as an example, the DDR is the accessed end and can be divided into two parts, Region0 and Region1: Region0 has a high security level, and Region1 has a low security level and is used for data sharing.

In the embodiments of the present disclosure, assigning memory access permissions and memory attributes to each area can prevent user applications from corrupting data used by the operating system; prevent untrusted applications from accessing protected memory areas for the purpose of infringing intellectual property; allow memory areas to be defined as read-only to protect important data; and block abnormal accesses, providing memory protection, peripheral protection and privileged code access control protection.

In an exemplary embodiment, each firewall can support 4 filter layers (filters) and 9 access areas (regions), but the present disclosure is not limited thereto.

In an exemplary embodiment, step S204 may include the following steps:

Step S2042: matching the access address against the address range of each of the plurality of access areas;

Step S2044: determining the access area whose address range includes the access address as the target access area.

In an exemplary embodiment, step S204 may further include:

Step S2046: when none of the address ranges of the plurality of access areas includes the access address, determining a preset basic access area as the target access area, wherein the basic access area is a part of the access area of the accessed end, and the basic access area is pre-configured with a mapping relationship between the permission identifiers allowed to access it and the corresponding access rights.

In an exemplary embodiment, step S206 may include: querying the pre-configured mapping relationship according to the target access area, and determining the access right corresponding to the permission identifier as the access right of the access request.

Further, an access area may be configured only with the permission identifiers allowed to access it, or it may be configured with all the IDs allowed access and the IDs denied access. The access right corresponding to an allowed ID is readable, writable, or readable and writable, and the access right corresponding to a denied ID is neither readable nor writable.

In another exemplary embodiment, the access request also carries the security attribute of the access end or business module. Further, step S206 may include the following steps:

Step S2062: when the security attribute is secure, determining that the access right of the access request is the predetermined right corresponding to the target access area;

Step S2064: when the security attribute is non-secure, querying the pre-configured mapping relationship according to the target access area, and determining the access right corresponding to the permission identifier as the access right of the access request.

Further, each access area can apply uniform access control to access ends (masters) with a higher security level: according to the security level of each access area, the corresponding predetermined right (that is, the highest access right) can be set to neither readable nor writable, read-only, readable and writable, etc., which determines the access right more quickly and improves the response speed of the access request. For the other, non-secure access ends/business modules, fine-grained control is performed through the permission identifier, which guarantees the effect of the security control.

Through the embodiments of the present disclosure, both group control and granular control methods can be supported, which effectively reduces the complexity of authority control, improves the precision of control over address ranges, and reduces resource usage.

在一示例性实施例中,该方法还包括:In an exemplary embodiment, the method further comprises:

在所述访问请求的访问权限被确定为不可读写的情况下,拒绝所述访问请求;If the access permission of the access request is determined to be not readable or writable, denying the access request;

在所述访问请求的访问权限被确定为读或写中的至少一种的情况下,允许所述访问请求。In a case where the access right of the access request is determined to be at least one of read or write, the access request is permitted.
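A software model of the check described in steps S1001 to S1004 above and of the allow/deny rule just stated (steps S2042 to S2064), as an added example that is not the patent's own logic or RTL. Filter, Region, ID, the access register and the secure/non-secure attribute follow the text; the register layout, the address map, the IDs given to core A, core R and the DMA, and the use of Region 0 as the basic area (FIG8/FIG10 numbering) are assumptions.

```c
/* Model of the firewall check in steps S1001..S1004 (method steps S204/S206).
 * Added illustration, not the patent's logic: layout, addresses, IDs assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_FILTERS 4   /* Filter0..Filter3, one per access-end type */
#define NUM_REGIONS 9   /* Region 0 is the basic area, Region 1..8 are address ranges */
#define NUM_IDS     16  /* each region holds permission bits for 16 IDs */

enum perm { PERM_NONE = 0, PERM_R = 1, PERM_W = 2, PERM_RW = 3 };

struct region {
    uint64_t base, limit;       /* address range [base, limit); unused for Region 0 */
    uint8_t  filter_valid;      /* bit f set: this region is valid in Filter f */
    uint8_t  secure_perm;       /* S1003: permission granted to secure-state accesses */
    uint8_t  id_perm[NUM_IDS];  /* S1004: per-ID permission for non-secure accesses;
                                   PERM_NONE means the ID is not configured here */
};

struct firewall { struct region regions[NUM_REGIONS]; };

struct access_req {
    unsigned filter;    /* filter layer the NoC routed the request to (by device type) */
    unsigned id;        /* permission identifier of the access source */
    uint64_t addr;      /* physical address, i.e. after MMU/SMMU translation */
    bool     secure;    /* security attribute carried in the request */
    bool     is_write;
};

/* S1001/S1002: compare from Region 1 upward; only regions valid in this
 * filter count, and no match means Region 0 decides. */
int fw_match_region(const struct firewall *fw, const struct access_req *rq)
{
    for (int m = 1; m < NUM_REGIONS; m++) {
        const struct region *r = &fw->regions[m];
        if (!(r->filter_valid & (1u << rq->filter)))
            continue;
        if (rq->addr >= r->base && rq->addr < r->limit)
            return m;
    }
    return 0;
}

/* S1003/S1004: secure accesses use the region's fixed permission; non-secure
 * accesses must have their ID configured in the region's access register. */
bool fw_allows(const struct firewall *fw, const struct access_req *rq)
{
    if (rq->filter >= NUM_FILTERS || rq->id >= NUM_IDS)
        return false;
    const struct region *r = &fw->regions[fw_match_region(fw, rq)];
    uint8_t p = rq->secure ? r->secure_perm : r->id_perm[rq->id];
    return (p & (rq->is_write ? PERM_W : PERM_R)) != 0;
}

/* Constructed configuration mirroring the DDR example: a high-security region
 * that core A may only read, a shared region both cores may read and write,
 * and a lowest-authority Region 0 for everything else (values assumed). */
enum { FILTER_CPU = 0, FILTER_DMA = 2 };
enum { ID_CORE_A = 1, ID_CORE_R = 2, ID_DMA = 3 };
#define HIGH_BASE   0x80000000ULL
#define SHARED_BASE 0x90000000ULL
#define SHARED_END  0xA0000000ULL

static struct firewall example_fw(void)
{
    struct firewall fw = {0};              /* Region 0: no ID configured, nothing allowed */
    fw.regions[0].secure_perm = PERM_R;    /* secure state may still read the basic area */
    struct region *hi = &fw.regions[1];    /* Region 1: high security level */
    hi->base = HIGH_BASE; hi->limit = SHARED_BASE;
    hi->filter_valid = (1u << FILTER_CPU) | (1u << FILTER_DMA);
    hi->secure_perm = PERM_RW;
    hi->id_perm[ID_CORE_A] = PERM_R;       /* core A: read only */
    hi->id_perm[ID_CORE_R] = PERM_RW;      /* core R (ASIL-B): read/write; DMA not configured */
    struct region *sh = &fw.regions[2];    /* Region 2: low security level, data sharing */
    sh->base = SHARED_BASE; sh->limit = SHARED_END;
    sh->filter_valid = 1u << FILTER_CPU;   /* not valid in the DMA filter: DMA falls to Region 0 */
    sh->secure_perm = PERM_RW;
    sh->id_perm[ID_CORE_A] = PERM_RW;
    sh->id_perm[ID_CORE_R] = PERM_RW;
    return fw;
}

/* Runs one request against the example configuration. */
bool example_check(unsigned filter, unsigned id, uint64_t addr, bool secure, bool is_write)
{
    struct firewall fw = example_fw();
    struct access_req rq = { filter, id, addr, secure, is_write };
    return fw_allows(&fw, &rq);
}

int main(void)
{
    bool a = example_check(FILTER_CPU, ID_CORE_A, HIGH_BASE + 0x1000, false, true);
    bool d = example_check(FILTER_DMA, ID_DMA, SHARED_BASE + 0x1000, false, false);
    printf("core A write Region 1: %s\nDMA read Region 2 via Filter2: %s\n",
           a ? "allow" : "deny", d ? "allow" : "deny");
    return 0;
}
```

The DMA case shows why a region that restricts access must be valid in every filter and why Region 0 must carry the lowest authority: a request arriving through a filter in which the region is not valid is judged by Region 0 alone.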

在一示例性实施例中,所述访问端包括一个或多个业务模块;访问权限相同的访问端和/或业务模块对应的权限标识相同;访问权限不同的访问端和/或业务模块对应的权限标识不同。In an exemplary embodiment, the access terminal includes one or more business modules; the access terminals and/or business modules with the same access rights have the same permission identifiers; the access terminals and/or business modules with different access rights have different permission identifiers.

进一步的,为了方便管理访问权限,可以设置预设数量的权限标识。在访问端数量少于该预设数量的情况下,可以为每个访问端分配不同的权限标识,但在访问端数量较多的情况下,可以将安全等级或访问权限相同的访问端分为一组,为每组分配一个权限标识。如果一个访问端包含不同安全等级的业务模块,则需要为每个业务模块分别配置权限标识。Furthermore, in order to facilitate the management of access rights, a preset number of permission identifiers may be set. When the number of access terminals is less than the preset number, a different permission identifier may be assigned to each access terminal. However, when the number of access terminals is large, access terminals with the same security level or access rights may be grouped together, and a permission identifier may be assigned to each group. If an access terminal contains business modules with different security levels, a permission identifier needs to be configured for each business module.

In an exemplary embodiment, according to a preset safety level specification, the chip system is divided into a plurality of preset functional safety level domains, wherein each functional safety level domain comprises a plurality of masters and a plurality of accessed ends; each functional safety level domain has one hardware firewall, which performs access control on the accessed ends within the corresponding functional safety level domain; and the permission identifier of a master and/or service module is configured by the service module with the highest security level within the functional safety level domain in which it resides.

Furthermore, taking the field of automotive smart chips as an example, the preset safety level specification may be the Automotive Safety Integrity Level (ASIL).

In the embodiments of the present disclosure, one hardware firewall is configured for each functional safety level domain, and the mapping relationship between the access regions, the identifiers (IDs) and the corresponding access permissions is configured separately for each hardware firewall. This achieves hardware isolation and control between domains of different functional safety levels, preventing a region of high functional safety from being affected by a region of low functional safety, and likewise preventing a high-functional-safety service from being affected by a low-functional-safety service.

In an exemplary embodiment, before step S204, the method further comprises: converting the virtual address in the access request into a physical address through the page table in a memory management unit (MMU) or a system memory management unit (SMMU), wherein the access address is the physical address.

In this embodiment, the MMU/SMMU performs translation between virtual and physical addresses and access control through the page table: it maps the virtual addresses of user mode, kernel mode, peripherals and so on to the corresponding physical addresses, and permission attributes are set in the page table for access control and region isolation.

In an exemplary embodiment, the master may comprise at least one of the following: a central processing unit (CPU), a graphics processing unit (GPU), a video processing unit (VPU), a storage device, a neural network processing unit (NPU), a hardware security module (HSM), a security encryption/decryption engine, a direct memory access (DMA) controller, and an external device.

Furthermore, the master may also comprise an image signal processor (ISP), a digital signal processor (DSP) and a data processing unit (DPU).

In an exemplary embodiment, the accessed end may comprise at least one of the following: a storage device and a peripheral register.

In an exemplary embodiment, the hardware firewall may support a bypass debugging mode, in which system functions are debugged by bypassing the firewall, thereby reducing the complexity of troubleshooting.

In an exemplary embodiment, the hardware firewall may support an error reporting mechanism that reports the error location and the access information (address, attributes, etc.) promptly and accurately, improving diagnostic efficiency. Furthermore, the firewall may also record and report denied access requests, so that the user can detect and handle potential risks in time.

Through the embodiments of the present disclosure, access control and permission setting are achieved, solving the problem in the related art that hardware firewalls are functionally simple and have limited effect on permission control and functional safety; the permissions of different functional safety level domains and of secure/non-secure services are precisely controlled, improving the information security and functional safety of the entire chip system.

The embodiments of the present disclosure can be applied to multifunctional high-performance integrated chips, in particular in the field of chip security protection, including but not limited to cockpit chips, autonomous driving chips, mobile phone chips, computer chips, artificial intelligence chips and the like. Taking the field of automotive smart chips as an example, a current automotive smart chip system mainly comprises a digital instrument cluster system, a driver assistance system, an infotainment system and so on, and different systems have different functions and safety levels.

FIG. 3 is a schematic structural diagram of an automotive smart chip system according to an embodiment of the present disclosure. As shown in FIG. 3, the automotive smart chip system can be divided into the following functional safety level domains according to function and safety attributes:

a high-performance computing domain 32, an automotive-grade domain (ASIL-B) 34, an automotive-grade domain (ASIL-D) 36 and a safety island (ASIL-D) 38.

In this embodiment, the high-performance computing domain 32 involves information security only, whereas the automotive-grade domain (ASIL-B), the automotive-grade domain (ASIL-D) and the safety island (ASIL-D) involve functional safety, with the safety island (ASIL-D) having the highest safety level.

In this embodiment, each domain contains high-compute CPUs, GPUs, storage devices, NPU devices and multi-channel display interfaces, supports a rich set of automotive-grade peripherals, and can support complex functions such as 3D graphics display, deep learning, computer vision, and audio/video encoding and decoding.

In this embodiment, the hardware of the high-performance computing domain 32 consists of high-performance A-core processors and various peripheral modules. The high-performance A-core processor has a lower safety level but strong performance and computing power; it runs a high-level operating system (HLOS) such as Linux or Android and is mainly responsible for compute-intensive functions such as the entertainment system, instrument display and environment perception.

In this embodiment, the automotive-grade domain (ASIL-B) 34 consists of four real-time R cores running the FreeRTOS operating system, and is mainly responsible for sensor signal acquisition, the body comfort system, planning and control, air conditioning, window and suspension control, and similar functions.

In this embodiment, to achieve ASIL-D functional safety, the automotive-grade domain (ASIL-D) 36 uses two R cores in dual-core lockstep and runs the general automotive control system AUTOSAR OS. It is mainly responsible for functions with particularly high safety requirements, such as vehicle control, powertrain control, energy management and chassis functions.

In this embodiment, the safety island (ASIL-D) 38 likewise uses two R cores in dual-core lockstep to achieve ASIL-D functionality. All of its system components are independent of the other domains and are unaffected by their functions; it mainly performs safety monitoring and the storage of critical data.

Applying the access control method of any of the above embodiments to the automotive smart chip system ensures that the domains do not affect each other's functional safety level while interacting. By setting permission identifiers (IDs) and access permissions, the high-performance computing domain can be prevented from affecting the functional safety regions, and an access from a low-functional-safety domain to a high-functional-safety domain can be allowed to read but not to write. Furthermore, if a read has side effects, for example a read of a first-in-first-out (FIFO) queue, the access should be prohibited. At the same time, services within the same functional safety domain can be distinguished, achieving isolation between low-functional-safety services and high-functional-safety services.

FIG. 4 is a schematic flowchart of access control implemented through page tables in the related art. As shown in FIG. 4, the MMU/SMMU performs translation between virtual and physical addresses and access control through the page table: it maps the virtual addresses of user mode, kernel mode, peripherals and so on to the corresponding physical addresses, and permission attributes are set in the page table for access control and region isolation.

Furthermore, memory and the page tables are managed by the operating system (OS) running on the A core; the access range and permission control of an access source are accomplished by the OS operating the page tables, including those of the MMU and the SMMU. The page tables are stored in DDR, and the cache holding page table entries inside the MMU is the translation look-aside buffer (TLB). The permissions controlled by the page table include data read, write and execute; the first two correspond to the data path and the last to the instruction path.

FIG. 5 is a schematic flowchart of access control when the page table has been tampered with, according to an embodiment of the present disclosure. As shown in FIG. 5, the left side is an example of accessing memory directly after the page table lookup, and the right side is an example of accessing memory through the firewall after the page table lookup.

In this embodiment, when the page table is functioning normally and has not been tampered with, a non-secure master accessing memory first looks up the page table through the MMU. If the access address lies in the non-secure region, the MMU translates the virtual address into a physical address and the data in the non-secure region of memory is accessed. If the access address lies in the secure region, the MMU denies the non-secure master's access according to the permission attributes in the page table, thus isolating accesses between the secure and non-secure regions.

In this embodiment, when the MMU/SMMU page table permissions have been illegally tampered with and memory is accessed directly after the page table lookup, the non-secure master can reach the secure data in DDR through the tampered page table, which poses a security risk.

In this embodiment, if a firewall is used to filter accesses at the DDR interface, then for a non-secure master the access to secure data is still intercepted even when the page table has been illegally tampered with, and the master can only access the specific regions for which it has permission.

Through the embodiments of the present disclosure, data security protection is further strengthened on the accessed-end side, avoiding the security risks that arise in the data relay process (for example, illegal tampering with the page table).

FIG. 6 is a schematic flowchart (I) of access control implemented through a hardware firewall according to an embodiment of the present disclosure, applied to the high-performance computing domain. As shown in FIG. 6, within the high-performance computing domain (A core), the firewall can apply permission control separately to the accesses of different masters to the computing domain's DDR.

In this embodiment, the masters in the high-performance computing domain include: the A-core processor, the secure OS, the non-secure OS, the hardware security module (HSM), the encryption/decryption engine and direct memory access (DMA); the accessed ends include the DDR and peripherals.

In this embodiment, the DDR memory is divided by the firewall into a secure access region and a non-secure access region, achieving physical isolation between secure and non-secure data.

Furthermore, the DDR memory may be divided into a plurality of access regions of different security levels, distinguished by the numbering "region" + number, where region0 may be the preset basic access region. The present disclosure does not limit the number of access regions.

In this embodiment, the A-core processor has two states, a secure state and a non-secure state, namely the secure OS and the non-secure OS. The secure state can access all DDR data, while the non-secure state can only access non-secure data and is prohibited from reading or writing secure data.

In this embodiment, security modules such as the hardware security module (HSM) and the encryption/decryption engine are mainly responsible for high-security information and encryption/decryption services; they have a high security level and can access all DDR data normally. Non-secure modules such as DMA are mainly responsible for moving data; they can only operate on non-secure data and are prohibited from reading or writing secure data.

In the embodiments of the present disclosure, the hardware firewall protects information security within the high-performance computing domain, ensuring that secure data cannot be obtained or corrupted by non-secure masters.

FIG. 7 is a schematic flowchart (II) of access control implemented through a hardware firewall according to an embodiment of the present disclosure, applied to the high-performance computing domain and the automotive-grade domain (ASIL-B). FIG. 7 shows the firewall read/write permission control while the high-performance computing domain (A core) and the automotive-grade domain (R core) simultaneously access the DDR within the automotive-grade domain (ASIL-B).

In this embodiment, the high-performance computing domain and the automotive-grade domain (ASIL-B) are each provided with one hardware firewall for access control of the accessed ends within the respective domain.

In this embodiment, the DDR within the automotive-grade domain (ASIL-B) is divided into two parts: Region0 has a high security level, and Region1 has a low security level and is used for data sharing. The present disclosure is not limited thereto; the number of access regions and the security level corresponding to each number can be adjusted according to actual requirements.

In this embodiment, when the A core and the DMA in the high-performance computing domain access the memory of the automotive-grade domain (ASIL-B), the firewall controls the access region and permission according to the access source. Since the security level of the A core is lower than that of the automotive-grade domain, the firewall can be configured so that the A core can only read Region0 and cannot write to it, but can freely read and write Region1, which facilitates data exchange with the R core.

In this embodiment, when the R core accesses the memory of the automotive-grade domain, it can freely read and write both Region0 and Region1, since its safety level of ASIL-B meets the requirement.

In another exemplary embodiment, memory accesses by the R core of the automotive-grade domain (ASIL-B) to a domain of a higher safety level (such as the automotive-grade domain ASIL-D) are restricted by the firewall within the automotive-grade domain (ASIL-D).

Furthermore, the firewall performs control according to the permission identifier (ID) of the access source, which can be achieved specifically by setting different permission tags for the A core and the R core.

In the embodiments of the present disclosure, hardware isolation between domains of different functional safety levels is achieved through the hardware firewall, guaranteeing functional safety: a region of high functional safety cannot be affected by one of low functional safety, and the functional safety regions cannot be affected by the computing domain.

FIG. 8 is a schematic structural diagram of an on-chip hardware firewall according to an embodiment of the present disclosure.

As shown in FIG. 8, the on-chip hardware firewall comprises a plurality of firewall filter layers (Filter0 to Filter3). Each firewall filter layer corresponds to a different type of master; for example, the filter layer corresponding to the CPU is Filter0, the filter layer corresponding to the GPU is Filter1, the filter layer corresponding to DMA/DPC is Filter2, and Filter3 is not shown. The present disclosure is not limited thereto; the number of filter layers and the corresponding master types can be adjusted according to actual requirements.

In this embodiment, each firewall filter layer corresponds to one or more masters, each firewall filter layer corresponds to a plurality of access regions, and each access region is pre-configured with a mapping relationship between the permission identifiers allowed to access it and the corresponding access permissions.

In this embodiment, the firewall filter layer is configured to receive, from the corresponding master, an access request for accessing the accessed end, to determine a target access region from the plurality of access regions of the corresponding accessed end according to the permission identifier and the access address carried in the access request, and to determine the access permission of the access request according to the permission identifier and the target access region.

Furthermore, each access region corresponds to an address range of the accessed end (such as DDR memory), and the address ranges of access regions in different firewall filter layers may overlap; for example, region1 and region3 in FIG. 8 both correspond to the DDR address range A1 to A2.

In an exemplary embodiment, the firewall can be configured to support 4 filter layers (Filters) and 9 access regions. A Filter connects externally to masters, such as the CPU, GPU, DPC and VPU, and can confirm from the access address and the ID whether the master may read or write the corresponding access region.

In an exemplary embodiment, a common basic access region (such as region0) can be provided for the plurality of firewall filter layers: any address not within the range of Region1 to Region8 belongs to region0. Furthermore, this basic access region may be set to the lowest permission, retaining only read/write permission for the data sharing region; the present disclosure is not limited thereto, and the permission content can be adjusted according to actual requirements.

In an exemplary embodiment, the hardware firewall is located between the accessed end and the network on chip (NoC); the hardware firewall and the accessed end are in the same functional safety level domain, the functional safety level domains being divided according to a preset safety level specification.

Furthermore, the firewall filter layers can be placed at the interface of the DDR memory. The network on chip sends an access request to the firewall filter layer corresponding to the master according to the master's device type, and the access permission is controlled and filtered by that firewall filter layer.

In an exemplary embodiment, the firewall filter layer further comprises an access register configured to store, for each of the plurality of access regions, the mapping relationship between the permission identifiers allowed to access that region and their access permissions.

In an exemplary embodiment, if a Region is to allow access only from one particular permission identifier (ID) and deny all other IDs, that Region must span all valid Filters. Each Region can control all 16 IDs.

Furthermore, if the number of masters exceeds a preset number, such as 16, a plurality of masters with identical permissions can share one ID. Masters with the same ID can be assigned to different filter layers according to their device type.

In an exemplary embodiment, accesses can be divided into secure accesses and non-secure accesses, the security attribute being determined by the master or service module that initiates the access request. Normally, the firewall controls the permission of a secure access as read/write; for a non-secure access, the permission needs to be further controlled as read/write according to the ID.

In an exemplary embodiment, the ID of each master is software-configurable, that is, it can be statically configured at system start-up.

FIG. 9 is a schematic diagram of configuring the permission identifiers of a plurality of masters according to an embodiment of the present disclosure. As shown in FIG. 9, the permission identifiers (IDs) of the masters within each functional safety level domain are configured by the service module with the highest security level in that domain, namely the IDs_conf module.

In an exemplary embodiment, the whole system is divided into two parts, the high-performance computing domain (left) and the automotive-grade domain (right), and a set of registers is provided within each functional safety level domain to configure the IDs of all masters/service modules in that domain.

Furthermore, in the high-performance computing domain the configuration can be performed by the hardware security module (HSM), which has high security functions, and in the automotive-grade domain by the R-core processor. This configuration is highly flexible and widely applicable.

In an exemplary embodiment, the ID configuration of the high-performance computing domain (left) mainly concerns information security, e.g. for the GPU, VPU and DMA, and these IDs can generally be fixed before leaving the factory. The automotive-grade domain (right) has high safety requirements and mainly concerns functional safety; the services on its masters include both secure and non-secure services, and the services differ between vendors, so the IDs of the automotive-grade domain need not be fixed and can be statically configured at system start-up.

In an exemplary embodiment, when the number of masters/service modules requiring ID configuration is small, each module can be configured with a different ID; when many modules require ID configuration, a group control method can be adopted, in which service modules with the same access permission are configured with the same ID, thereby reducing the complexity of access control and permission determination.
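The group control rule above (also described earlier for the preset number of permission identifiers and for the 16-ID limit per Region) can be modelled as a small ID allocator. The following is an added example written for this page, not code from the patent: it encodes each module's permission profile as two bits per Region (Region0 to Region8), gives modules with an identical profile the same ID, and reports failure once more than 16 distinct profiles are needed, which is the point where the grouping rule alone no longer suffices. The module list, the profile encoding and the helper names are assumptions for illustration.

```c
/* Added example (not from the patent): group-control ID assignment.
 * Masters/service modules with an identical permission profile share one
 * of the 16 permission identifiers; each new profile takes the next free ID.
 * Profile encoding (2 bits per Region) and the sample modules are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ID_MAX_COUNT 16   /* permission identifiers available per domain (page: 16) */
#define ID_REGIONS   9    /* Region0 (basic) + Region1..Region8 */

enum id_perm { ID_PERM_NONE = 0, ID_PERM_R = 1, ID_PERM_W = 2, ID_PERM_RW = 3 };

/* Pack one permission per Region into a profile word. */
uint32_t id_profile(const enum id_perm perms[ID_REGIONS]) {
    uint32_t p = 0;
    for (int r = 0; r < ID_REGIONS; r++) p |= (uint32_t)perms[r] << (2 * r);
    return p;
}

/* Helpers for constructing sample profiles. */
static uint32_t profile_all(enum id_perm p) {
    enum id_perm v[ID_REGIONS];
    for (int r = 0; r < ID_REGIONS; r++) v[r] = p;
    return id_profile(v);
}
static uint32_t profile_only(int region, enum id_perm p) {
    enum id_perm v[ID_REGIONS] = {ID_PERM_NONE};  /* all Regions NONE ... */
    v[region] = p;                                /* ... except the one named */
    return id_profile(v);
}

/* Assign IDs 0..15 so that equal profiles share an ID. Returns the number
 * of IDs used, or -1 if more than ID_MAX_COUNT distinct profiles exist
 * (the profiles themselves would then have to be merged before grouping). */
int id_assign(const uint32_t *profiles, size_t n, uint8_t *ids_out) {
    uint32_t table[ID_MAX_COUNT];  /* profile already bound to each ID */
    int used = 0;
    for (size_t i = 0; i < n; i++) {
        int found = -1;
        for (int k = 0; k < used; k++) {
            if (table[k] == profiles[i]) { found = k; break; }
        }
        if (found < 0) {
            if (used == ID_MAX_COUNT) return -1;
            table[used] = profiles[i];
            found = used++;
        }
        ids_out[i] = (uint8_t)found;
    }
    return used;
}

/* Constructed sample domain with six modules (assumed permissions):
 * secure OS, HSM and crypto engine may access everything; the non-secure OS
 * and DMA may only use the shared Region1; the GPU may only read Region1.
 * Returns the number of IDs needed (3) and fills ids_out per module. */
int id_demo(uint8_t ids_out[6]) {
    uint32_t profiles[6] = {
        profile_all(ID_PERM_RW),        /* secure OS        -> ID 0 */
        profile_all(ID_PERM_RW),        /* HSM              -> ID 0 */
        profile_all(ID_PERM_RW),        /* crypto engine    -> ID 0 */
        profile_only(1, ID_PERM_RW),    /* non-secure OS    -> ID 1 */
        profile_only(1, ID_PERM_RW),    /* DMA              -> ID 1 */
        profile_only(1, ID_PERM_R),     /* GPU (read-only)  -> ID 2 */
    };
    return id_assign(profiles, 6, ids_out);
}

int main(void) {
    uint8_t ids[6];
    int used = id_demo(ids);
    printf("IDs used: %d\n", used);
    for (int i = 0; i < 6; i++) printf("module %d -> ID %u\n", i, ids[i]);
    return 0;
}
```

Because the profile covers every Region, two modules only share an ID when their permissions agree everywhere, so a module of a different security level never collapses into the same group by accident.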

FIG. 10 is a detailed schematic flowchart of firewall access control according to an embodiment of the present disclosure. As shown in FIG. 10, the flow comprises the following steps:

Step S1001: for each access request entering a Filter, the address is compared starting from Region1. If the address lies within that Region and the Region is enabled for the current Filter, the next step is started.

Step S1002: if Region1 does not match, the region index is incremented (M+1) and the next Region is compared, and so on in turn. If no Region matches, Region0 is used for permission control of that Filter.

Step S1003: the security attribute of the access is determined. If the access is in the secure state, the access register of the matched region is read to check whether the current access is allowed, where 1 means allowed and 0 means denied.

Step S1004: if the access is non-secure, the access register of the region is used to determine whether the ID of the access source is configured in that region. If it is configured, the access permission of that ID is checked further, namely whether it is readable, writable, or readable and writable.

In an exemplary embodiment, steps S1001 and S1002 may also match specifically against the Regions configured in that Filter, and when no Region is matched, the basic access region (Region0) is used for permission control.

In this embodiment, the access register in step S1004 is configured only with the IDs that are allowed to access that access region; when the ID is not configured for that access region, the access request is denied.
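The steps S1001 to S1004 above, together with the FIG. 7 policy for the ASIL-B domain DDR (A core read-only on Region0, read/write on Region1; R core read/write on both), can be checked against a software model. The following is an added example written for this page, not code from the patent or from Sanechips: the register layout (a per-Region Filter-enable mask, a secure-allowed bit, and a 16-entry table of 2-bit permissions indexed by ID), the Filter numbers, the ID values and the address ranges are all assumptions. It also exercises the caveat from the description of FIG. 8 that a Region which is not enabled on a Filter is invisible to that Filter, so the address falls back to Region0 there; within one Filter the model takes the first matching Region in scan order, which is an assumption since the text does not say how overlapping Regions in the same Filter are resolved.

```c
/* Added example (not from the patent): software model of the Filter/Region/ID
 * lookup in steps S1001-S1004, loaded with the FIG. 7 policy. Register layout,
 * filter/ID numbers and addresses are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FW_NUM_FILTERS 4    /* Filter0..Filter3 */
#define FW_NUM_REGIONS 9    /* Region0 (basic) + Region1..Region8 */
#define FW_NUM_IDS     16   /* permission identifiers controlled per Region */

enum fw_perm { PERM_NONE = 0, PERM_R = 1, PERM_W = 2, PERM_RW = 3 };

struct fw_region {
    uint64_t base, limit;         /* [base, limit); unused for Region0 */
    uint8_t  filter_enable_mask;  /* bit f set: Region is enabled on Filter f */
    bool     secure_allowed;      /* S1003 bit: 1 = allow secure access, 0 = deny */
    uint32_t id_perm;             /* S1004 access register: 2 bits per ID */
};

struct fw { struct fw_region region[FW_NUM_REGIONS]; };

static enum fw_perm fw_id_perm(const struct fw_region *r, unsigned id) {
    return (enum fw_perm)((r->id_perm >> (2u * id)) & 3u);
}

/* S1001/S1002: scan Region1..Region8 for this Filter; fall back to Region0. */
int fw_match_region(const struct fw *fw, unsigned filter, uint64_t addr) {
    for (int m = 1; m < FW_NUM_REGIONS; m++) {
        const struct fw_region *r = &fw->region[m];
        if (!(r->filter_enable_mask & (1u << filter))) continue;  /* not valid here */
        if (addr >= r->base && addr < r->limit) return m;
    }
    return 0;
}

/* S1003/S1004: allow or deny. An ID absent from the register reads as PERM_NONE. */
bool fw_check(const struct fw *fw, unsigned filter, unsigned id, bool secure,
              uint64_t addr, bool is_write) {
    if (filter >= FW_NUM_FILTERS || id >= FW_NUM_IDS) return false;
    const struct fw_region *r = &fw->region[fw_match_region(fw, filter, addr)];
    if (secure) return r->secure_allowed;
    enum fw_perm p = fw_id_perm(r, id);
    return is_write ? (p & PERM_W) != 0 : (p & PERM_R) != 0;
}

/* Constructed FIG. 7 policy. Assumed IDs/Filters: A core = ID 1 on Filter0,
 * R core = ID 3 on Filter1, DMA = ID 2 on Filter2. Region1 is the shared area;
 * Region2 is an R-core-only area enabled on Filter1 alone (assumption). */
#define ID_ACORE 1
#define ID_DMA   2
#define ID_RCORE 3
#define F_ACORE  0
#define F_RCORE  1
#define F_DMA    2

static uint32_t perm_bits(unsigned id, enum fw_perm p) { return (uint32_t)p << (2u * id); }

struct fw fw_fig7_policy(void) {
    struct fw fw = {0};
    /* Region0 (high security): A core read-only, DMA absent (denied), R core RW. */
    fw.region[0].secure_allowed = true;
    fw.region[0].id_perm = perm_bits(ID_ACORE, PERM_R) | perm_bits(ID_RCORE, PERM_RW);
    /* Region1 (data sharing): enabled on every Filter, RW for all three masters. */
    fw.region[1].base = 0x80000000ull; fw.region[1].limit = 0x80100000ull;
    fw.region[1].filter_enable_mask = 0xF;
    fw.region[1].secure_allowed = true;
    fw.region[1].id_perm = perm_bits(ID_ACORE, PERM_RW) | perm_bits(ID_DMA, PERM_RW)
                         | perm_bits(ID_RCORE, PERM_RW);
    /* Region2: only the R core's Filter sees it; other Filters fall back to Region0. */
    fw.region[2].base = 0x80100000ull; fw.region[2].limit = 0x80200000ull;
    fw.region[2].filter_enable_mask = 1u << F_RCORE;
    fw.region[2].secure_allowed = true;
    fw.region[2].id_perm = perm_bits(ID_RCORE, PERM_RW);
    return fw;
}

/* Convenience wrappers over the constructed policy. */
int  fig7_region(unsigned filter, uint64_t addr) {
    struct fw fw = fw_fig7_policy(); return fw_match_region(&fw, filter, addr);
}
bool fig7_check(unsigned filter, unsigned id, bool secure, uint64_t addr, bool is_write) {
    struct fw fw = fw_fig7_policy(); return fw_check(&fw, filter, id, secure, addr, is_write);
}

int main(void) {
    printf("A core write Region0: %s\n", fig7_check(F_ACORE, ID_ACORE, false, 0x70000000ull, true) ? "allow" : "deny");
    printf("A core write Region1: %s\n", fig7_check(F_ACORE, ID_ACORE, false, 0x80000100ull, true) ? "allow" : "deny");
    printf("DMA read Region0:     %s\n", fig7_check(F_DMA, ID_DMA, false, 0x70000000ull, false) ? "allow" : "deny");
    return 0;
}
```

The fallback to Region0 is the property that matters for the page-table-tampering case described with FIG. 5: whatever physical address a corrupted page table produces, a non-secure master is judged by the Region0 entry for its ID unless the address lands in a Region explicitly enabled for its Filter.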

Through the embodiments of the present disclosure, information filtering at the accessed end is achieved, guaranteeing the data security of critical secure regions and preventing access permissions from being tampered with. Combining the ID with the Region achieves fine-grained access control, which protects access regions of different security levels more securely and effectively.

An embodiment of the present disclosure further provides a computer-readable storage medium in which a computer program is stored, wherein when the computer program is run by a processor, the steps in any of the above method embodiments are executed.

In an exemplary embodiment, the computer-readable storage medium may include, but is not limited to, various media capable of storing a computer program, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disk.

An embodiment of the present disclosure further provides an electronic device comprising a memory and a processor, wherein a computer program is stored in the memory and the processor is configured to run the computer program to execute the steps in any of the above method embodiments.

In an exemplary embodiment, the electronic device may further comprise a transmission device and an input/output device, wherein the transmission device is connected to the processor and the input/output device is connected to the processor.

For specific examples in this embodiment, reference may be made to the examples described in the above embodiments and exemplary implementations, which are not repeated here.

Obviously, those skilled in the art should understand that the modules or steps of the present disclosure described above can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network of multiple computing devices; they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; and in some cases the steps shown or described can be executed in an order different from that given here, or they can be fabricated as individual integrated circuit modules, or several of the modules or steps can be fabricated as a single integrated circuit module. Thus, the present disclosure is not limited to any specific combination of hardware and software.

The above are only preferred embodiments of the present disclosure and are not intended to limit it; for those skilled in the art, the present disclosure may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the principles of the present disclosure shall fall within the scope of protection of the present disclosure.

Claims (16)

1. An access control method implemented by a hardware firewall, the method comprising:
receiving, through a firewall filter layer corresponding to an access end, an access request initiated by the access end to an accessed end, wherein the access request carries a permission identifier and an access address;
determining a target access area from a plurality of access areas of the accessed end corresponding to the firewall filter layer according to the access address;
determining the access permission of the access request according to the permission identifier and the target access area, wherein each access area is pre-configured with a mapping relationship between the permission identifiers allowed to access it and the corresponding access permissions.

2. The method according to claim 1, wherein before receiving, through the firewall filter layer corresponding to the access end, the access request initiated by the access end to the accessed end, the method further comprises:
setting, according to the device type of the access end, a firewall filter layer corresponding to each device type;
configuring a plurality of access areas for each firewall filter layer, wherein the plurality of access areas have different address ranges;
configuring, for each access area, a mapping relationship between the permission identifiers allowed to access it and the access permissions.

3. The method according to claim 1, wherein determining the target access area from the plurality of access areas corresponding to the firewall filter layer according to the access address comprises:
matching the access address against the address range of each of the plurality of access areas;
determining the access area whose address range includes the access address as the target access area.

4. The method according to claim 3, further comprising:
when none of the address ranges of the plurality of access areas includes the access address, determining a preset basic access area as the target access area, wherein the basic access area is a part of the access area of the accessed end and is pre-configured with a mapping relationship between the permission identifiers allowed to access it and the corresponding access permissions.

5. The method according to claim 1, wherein determining the access permission of the access request according to the permission identifier and the target access area comprises:
querying the pre-configured mapping relationship according to the target access area, and determining the access permission corresponding to the permission identifier as the access permission of the access request.

6. The method according to claim 1, wherein determining the access permission of the access request according to the permission identifier and the target access area comprises:
the access request further carrying a security attribute of the access end or of a service module;
when the security attribute is secure, determining that the access permission of the access request is a predetermined permission corresponding to the target access area;
when the security attribute is non-secure, querying the pre-configured mapping relationship according to the target access area, and determining the access permission corresponding to the permission identifier as the access permission of the access request.

7. The method according to claim 1, further comprising:
denying the access request when its access permission is determined to be neither readable nor writable;
allowing the access request when its access permission is determined to be at least one of read or write.

8. The method according to claim 1, wherein:
the access end comprises one or more service modules;
access ends and/or service modules having the same access permission have the same permission identifier;
access ends and/or service modules having different access permissions have different permission identifiers.

9. The method according to claim 8, wherein:
according to a preset safety level specification, the chip system is divided into a plurality of preset functional safety level domains, each of which comprises a plurality of access ends and a plurality of accessed ends;
each functional safety level domain has one hardware firewall, which performs access control on the accessed ends within that domain;
the permission identifier of an access end and/or service module is configured by the service module with the highest security level in the functional safety level domain to which it belongs.

10. The method according to claim 1, wherein before determining the access permission of the access request according to the permission identifier and the target access area, the method further comprises:
translating the virtual address in the access request into a physical address through a page table in a memory management unit (MMU) or a system memory management unit (SMMU), wherein the access address is a physical address.

11. The method according to any one of claims 1 to 10, wherein:
the access end comprises at least one of: a central processing unit (CPU), a graphics processing unit (GPU), a video processing unit (VPU), a storage device, a neural network processing unit (NPU), a hardware security module (HSM), a security encryption/decryption engine, a direct memory access (DMA) controller and an external device;
the accessed end comprises at least one of: a storage device and a peripheral register.

12. An in-chip hardware firewall, comprising:
a plurality of firewall filter layers, wherein each firewall filter layer corresponds to one or more access ends and to a plurality of access areas, and each access area is pre-configured with a mapping relationship between the permission identifiers allowed to access it and the corresponding access permissions;
the firewall filter layer being configured to receive, from the corresponding access end, an access request for accessing the accessed end, determine a target access area from the plurality of access areas of the corresponding accessed end according to the permission identifier and the access address carried in the access request, and determine the access permission of the access request according to the permission identifier and the target access area.

13. The hardware firewall according to claim 12, wherein:
the hardware firewall is located between the accessed end and the network on chip;
the hardware firewall and the accessed end are in the same functional safety level domain, the functional safety level domains being divided according to a preset security level specification.

14. The hardware firewall according to claim 12, wherein the firewall filter layer further comprises:
an access register, configured to store the mapping relationships between the permission identifiers allowed to access each of the plurality of access areas and the corresponding access permissions.

15. A computer-readable storage medium, wherein a computer program is stored in the storage medium, and the computer program, when run by a processor, executes the method according to any one of claims 1 to 11.

16. An electronic device comprising a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to run the computer program to execute the method according to any one of claims 1 to 11.
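As an added illustration (this is not code from the patent or its assignee), the following Python model implements the filter-layer decision described in claims 1 to 7 and 12 and in the step S1004 passage above: region lookup by physical address with a basic fallback region, the per-region ID-to-permission mapping that rejects unconfigured IDs, the secure-attribute shortcut, and the deny-when-neither-read-nor-write rule. The region names, address ranges and IDs are constructed sample values, not layouts taken from the patent.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Permission bits kept in a region's ID -> permission mapping (claim 7: NONE is denied).
NONE, READ, WRITE = 0, 1, 2
RW = READ | WRITE

@dataclass
class Region:
    """One access area: address range plus the pre-configured ID -> permission
    mapping (claim 1); IDs absent from it are rejected (step S1004)."""
    name: str
    start: int
    end: int                    # inclusive physical address (claim 10: post-MMU)
    acl: Dict[int, int] = field(default_factory=dict)
    secure_perm: int = RW       # predetermined right for secure requests (claim 6)

    def contains(self, addr: int) -> bool:
        return self.start <= addr <= self.end

@dataclass
class FilterLayer:
    """Filter layer for one access-end device type (claim 2), guarding the
    accessed end's regions plus a basic fallback region (claim 4)."""
    regions: List[Region]
    basic: Region

    def target_region(self, addr: int) -> Region:
        # Claims 3-4: first region whose range contains the address, else basic.
        for region in self.regions:
            if region.contains(addr):
                return region
        return self.basic

    def permission(self, perm_id: int, addr: int, secure: bool = False) -> int:
        region = self.target_region(addr)
        if secure:
            return region.secure_perm          # claim 6: secure attribute set
        return region.acl.get(perm_id, NONE)   # claim 5: look the ID up

    def allow(self, perm_id: int, addr: int, secure: bool = False) -> bool:
        return self.permission(perm_id, addr, secure) != NONE

@dataclass
class HardwareFirewall:
    """Claim 12: one filter layer per access-end device type."""
    layers: Dict[str, FilterLayer]

    def check(self, device: str, perm_id: int, addr: int, secure: bool = False) -> bool:
        layer = self.layers.get(device)
        return layer is not None and layer.allow(perm_id, addr, secure)

# Constructed sample configuration (assumed, not from the patent): the CPU layer
# guards a read-only key store for ID 7 and a shared buffer for IDs 3 and 7.
KEY_STORE = Region("key_store", 0x1000_0000, 0x1000_FFFF, acl={7: READ})
SHARED_BUF = Region("shared_buf", 0x2000_0000, 0x2FFF_FFFF, acl={3: RW, 7: RW})
BASIC = Region("basic", 0x0000_0000, 0xFFFF_FFFF, acl={3: READ, 7: READ})
FIREWALL = HardwareFirewall({"cpu": FilterLayer([KEY_STORE, SHARED_BUF], BASIC)})
```

A request from an unknown device type, or with an ID that the target region's mapping does not list, resolves to NONE and is denied, which is the failure mode the access register's whitelist-only configuration is meant to enforce.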

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310645888.3A CN119109602A (en) 2023-06-01 2023-06-01 An access control method implemented by hardware firewall and an in-chip hardware firewall
CN202310645888.3 2023-06-01

Publications (1)

Publication Number Publication Date
WO2024244701A1 true WO2024244701A1 (en) 2024-12-05

Family

ID=93656598

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/086659 Pending WO2024244701A1 (en) 2023-06-01 2024-04-08 Access control method implemented by means of hardware firewall, and hardware firewall in chip

Country Status (2)

Country Link
CN (1) CN119109602A (en)
WO (1) WO2024244701A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119312353A (en) * 2024-12-13 2025-01-14 湖北芯擎科技有限公司 End-side model calling system, method and computer-readable storage medium
CN120124030A (en) * 2025-03-17 2025-06-10 沐曦科技(成都)有限公司 A restricted access system for GPU registers

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103136124A (en) * 2011-11-28 2013-06-05 国民技术股份有限公司 Intelligent card hardware firewall system and realizing method thereof
CN106469124A (en) * 2015-08-20 2017-03-01 深圳市中兴微电子技术有限公司 A kind of memory access control method and device
CN109886035A (en) * 2019-05-06 2019-06-14 上海燧原智能科技有限公司 The control device and chip system of chip access safety
US20200014697A1 (en) * 2018-07-04 2020-01-09 Microsoft Technology Licensing, Llc Whitelisting of trusted accessors to restricted web pages
CN114844726A (en) * 2022-07-01 2022-08-02 湖北芯擎科技有限公司 Firewall implementation method, chip, electronic device and computer readable storage medium

Also Published As

Publication number Publication date
CN119109602A (en) 2024-12-10

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 24813907
Country of ref document: EP
Kind code of ref document: A1